17 Replies Latest reply: Nov 24, 2010 1:08 AM by Rishi Beri

    Problem with AccessPoint login page

      Hi,

      We have QlikView Server 9 SR2 and we want to use the AccessPoint's default login page, but it seems not to be working. Can somebody explain the step-by-step configuration for user authentication via the default login.htm?

      This is what our configuration looks like, and let's say we use "NTFS Authorization (Windows controls file access)":


        • Problem with AccessPoint login page
          Lars Helmer

          hello,

          login.htm is supposed to be used if you utilize custom-users, which in turn is designed to be used with DMS-mode. it doesn't work in NTFS mode.

          why do you want to use the login page and not the default authentication?

          cheers,

          lars

            • Problem with AccessPoint login page

              Hi,

              Thanks for the quick answer.

              Indeed we want to use the login.htm with DMS mode and we just tried it with NTFS. It is good to know it doesn't work with NTFS.

              Could you explain what exactly we should do to make it work? Is it enough that we specify the DMS mode and the AD, or should we also set the "User name header" field? What is that field for?

                • Problem with AccessPoint login page
                  Lars Helmer

                  the login.htm page is designed for custom users (which can be set up on the DSC) and if you choose to use it the AD is not involved in authentication / authorization in any way.

                  user name header is used if authentication is handled by some 3rd party system that adds credentials to the http-headers, i.e., it doesn't apply if you use the login.htm page.

                  why do you want to use the login.htm if you have an AD?

                  cheers,

                  lars

                    • Problem with AccessPoint login page

                      Hi,

                      We tried to connect the server with our AD, but we are experiencing some problems.

                      Our settings are:

                      http://community.qlik.com/cfs-file.ashx/__key/CommunityServer.Discussions.Components.Files/12/6661.config1.jpg

                       

                      And no one can access the AccessPoint except the local administrator of the machine the server resides on. Do you have any idea why that is happening?

                      I also tried to set it up as a Custom Directory in order to have the login page (there is no particular reason we want to use the login page, except that when we use it there is a log off button in the AccessPoint), but it didn't work.

                      Could you please explain in detail or give an example of a successful security setting? Are there any materials that explain how to set up security? I read most of the topics in the manual but I couldn't figure it out :(

                        • Problem with AccessPoint login page
                          Lars Helmer

                          when you say you can't access the accesspoint do you mean you get a http-error on the url or that you can't see any documents when you get there?

                          if you can't get to the url it could be a firewall issue.

                            • Problem with AccessPoint login page

                              I meant that when I get there it didn't accept my credentials if they were not the local administrator's. But the problem was that the machine wasn't in the same domain as the access directory.

                               

                              And if I want to use DMS Authorization with Custom Users in order to use the login page for access (for example for external users) what are the steps to set up this architecture?

                                • Problem with AccessPoint login page
                                  Lars Helmer

                                  basically you need to:

                                  * set the QVS in DMS mode

                                  * set permissions on your documents in the DMS, either manually or by running your distribution tasks

                                  * setup a custom user provider on the DSC

                                  * add custom users, either manually, or using the ldifimport tool available as a separate download.

                                  cheers,

                                  lars

                                    • Problem with AccessPoint login page

                                      Hi Lars,

                                      I've already read these instructions in the manual. The part "* setup a custom user provider on the DSC" is the most unclear one. Let me try to explain how far we've come for almost a week, what we decided our architecture should be and what issues we faced. First we wanted to connect the server with our AD. You explained that the login page works only with custom users which in fact was the answer maybe for this topic. We faced that if the server is not in the same domain as the AD it simply won't work. So we moved it and everything worked fine with NTFS mode set for security and Active Directory for Directory Service Connector. Everyone could access the files through the access point, which was fine.

                                      Now we want to present some files to our clients. But we don't want to use the anonymous account because there are files for one client and files for another client. We also don't want to make new records in this AD or new users or user groups in the OS itself. So we are thinking of the custom directory for the Directory Service Connector (with or without the login page doesn't matter, as long as it works). We want to set up QVS to work with Domino LDAP. And when we set it up, the log file says:

                                      18.11.2009 ?. 12:40:26.0980000 Information (CustomDirectory.CustomDirectoryServiceProvider) setting CU-Port to <389>
                                      18.11.2009 ?. 12:40:26.0980000 Information Initializing
                                      18.11.2009 ?. 12:40:26.0980000 Information Starting webservice at port 389
                                      18.11.2009 ?. 12:40:26.0980000 Information Initializing system webserver
                                      18.11.2009 ?. 12:40:26.0980000 Information Webserver security set to: Ntlm
                                      18.11.2009 ?. 12:40:26.0980000 Information Authorization groupname: QlikView Administrators
                                      18.11.2009 ?. 12:40:26.0980000 Information Initializing done

                                      which I suppose is good, right? But in the users tab it doesn't list the users (there are already some users created) and also no one can access the access point or the server except the server administrator account. Questions:

                                      1. Could you give instructions on how to set up QV to work with Domino LDAP? More precise instructions for setting up security using custom users would be great, because personally I couldn't find good instructions anywhere in the community, blogs, google, etc. Moreover I saw some posts regarding security which were not answered at all, which is very frustrating. Even a manual in the next versions on how to set up security would be useful.

                                      2. When we already have existing users should they be listed in the Users tab when using custom directory?

                                      3. The log says "Webserver security set to: Ntlm". What is this, should it be changed, and where can it be changed?

                                      4. When we use custom users should the access be ONLY through the login page?

                                       

                                      I think there will be more questions when we want to integrate some charts with our web applications but let's build the security first.

                                       

                                      Thanks in advance,

                                      Svetlin.

                                        • Problem with AccessPoint login page
                                          Lars Helmer

                                          i could have got it backwards, but it sounds like you want to use the custom users provider to connect the DSC to domino ldap and manage your users there. this is not how the custom users provider works, instead it is an alternative user catalogue in itself. so you add users and groups in the QEMC gui (or in bulk with a tool called ldifimport available as a separate download). it won't connect to any other catalogue (e.g., domino ldap).

                                          there is an API available for developing your own plugin to connect the DSC to any user catalogue, but this takes some time and C# development skills.

                                          ntlm security is the authentication protocol used by the services when communicating with the DSC.

                                          custom users requires that you always access through the login page, since no other way knows how to authenticate the user with the custom users provider.

                                          in short, if you want to use domino ldap you need a DSC plugin (called a DSP), and a new login page that can authenticate with domino ldap. if you are only planning to use domino ldap for QV i would recommend going for a custom users solution which would save you the development. the downside being that you need to add your internal users as custom users too (you cannot combine custom users authentication with for example active directory).

                                          cheers,

                                          lars

                                            • Problem with AccessPoint login page

                                              ok, as far as I understood, if we choose to use custom users, we don't need domino ldap and it is only up to us to create the users in the qemc?

                                              Questions:

                                              1. What should we type in the path field?

                                              2. Where can we download this ldifimport tool from?

                                              3. We have already exported our users into ldif format. Where should we import those files with the ldifimport tool? I saw in an older manual something like: "LDIFImport /f=c:\MyLdifFile.ldif /url="http://machine.com/Command Center/" /g=yes" is it the same?

                                              4. Where can we find the API to develop our own plugin?

                                                • Problem with AccessPoint login page
                                                  Lars Helmer

                                                  1. you can press the "get default" button (the one that doesn't look like an X) to get a valid path. for custom users it should always be "Custom". also, if you changed the port i would advise to change it back to the default (4735) or remember to modify the custom user address in the access point settings.

                                                  2. it should be on the download site, check 9.00, SR 2 and english.

                                                  3. i don't know, hopefully it's documented with the downloaded package.

                                                  4. i need to get back to you on this one, but please note that you don't need it if you are going for a custom users solution.

                                                  cheers,

                                                  lars

                                                    • Problem with AccessPoint login page

                                                      Hi Lars,

                                                      Finally it works with custom directory! I have no explanation because we tried exactly this way a week ago but it didn't work. Maybe we made some mistakes and just have to look in the logs.

                                                      Yesterday there were some strange exceptions in the logs such as port 4735 was used by another application (we have only qlikview server on this machine?!!?) but with several restarts and some manual work it started working. Then we tried the ldifimport tool... it doesn't work with an exported file from domino ldap. So we searched for some example file and imported it. When importing this way the checkbox to enable user is not checked. We checked it and went to the login page. It finally worked. But I noticed that when you mistake your password it just stays this way. Isn't there some message to pop up or somehow say "you've mistaken your password" ?

                                                      Finally I still need the API, because my manager wants to connect the qlikview with the existing domino ldap. If someone has already made a plugin it will be nice, if not we will make one. I noticed there are 5 plugins in the DSP plugin directory but the server loads only 4. Let's say we make a plugin. Would it be enough only to place it in this directory so that the server loads it? And I suppose when we have a plugin a new section should appear in the directory service connectors, right? In short after creating the plugin what else should be done?

                                                        • Problem with AccessPoint login page
                                                          Lars Helmer

                                                          glad to hear you are making progress.

                                                          the qlikview sdk is available with the server installation msi, but it is not installed when you select "full installation", instead you must choose custom installation and manually select it from the list.

                                                          when you've made a plugin it should be enough to put it in the DSP plugin folder and restart the DSC, and it should show up in the QEMC. but as i wrote in an earlier post, the login.htm page is made for authenticating with the custom users provider, if you want to authenticate elsewhere (e.g., domino ldap) you need to modify / replace login.htm.

                                                          which plugin is the 5th that doesn't get loaded?

                                                          cheers,

                                                          lars

                                                            • Problem with AccessPoint login page

                                                              The log says:

                                                              19.11.2009 ?. 03:22:28.9375000 Information Initializing root
                                                              19.11.2009 ?. 03:22:29.2968750 Information Loading DSP plugins
                                                              19.11.2009 ?. 03:22:29.4062500 Information Scanning directory C:\QvServer\Directory Service Connector\DSPlugins
                                                              19.11.2009 ?. 03:22:29.4062500 Information Loading file C:\QvServer\Directory Service Connector\DSPlugins\ActiveDirectory.dll
                                                              19.11.2009 ?. 03:22:29.4218750 Information Loaded plugin Active Directory
                                                              19.11.2009 ?. 03:22:29.4218750 Information Loading file C:\QvServer\Directory Service Connector\DSPlugins\CustomDirectory.dll
                                                              19.11.2009 ?. 03:22:29.6562500 Information Loaded plugin Custom Directory
                                                              19.11.2009 ?. 03:22:29.6562500 Information Loading file C:\QvServer\Directory Service Connector\DSPlugins\LocalDirectory.dll
                                                              19.11.2009 ?. 03:22:29.6562500 Information Loaded plugin Local Directory
                                                              19.11.2009 ?. 03:22:29.6562500 Information Loading file C:\QvServer\Directory Service Connector\DSPlugins\QVSProvider.dll
                                                              19.11.2009 ?. 03:22:29.7031250 Information Loading file C:\QvServer\Directory Service Connector\DSPlugins\WindowsNT.dll
                                                              19.11.2009 ?. 03:22:29.7031250 Information Loaded plugin Windows NT
                                                              19.11.2009 ?. 03:22:29.7031250 Information Loaded 4 plugins

                                                              Maybe QVSProvider is not a plugin?

                                                              You didn't say anything about mistaken passwords? Should we assume there is no functionality in the login page that tells you when you mistake your password?

                                                              Yes, we've installed the QlikView SDK; in its folder we can find help about building a plugin, right?

                                                                • Problem with AccessPoint login page
                                                                  Lars Helmer

                                                                  you can disregard the QVSProvider, it is a leftover from 8.5 and is no longer used.

                                                                  about the lack of feedback in login.htm, it "works as designed", even though one could hope the design is revised somewhere down the line...

                                                                  yes, in the qlikview sdk there should be some documentation of the interface and a very simple example using an xml file as a user catalogue. also a visual studio project called publishersdk with the interfaces that you need to implement.

                                                                  cheers,

                                                                  lars
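Added example, not part of the thread and not QlikView code: because any DLL placed in the DSP plugin folder is picked up when the DSC restarts, this Python script audits a DSC log for files that were opened but never registered as a plugin, files outside an expected list, and a mismatch with the reported plugin count. The sample log is constructed in the format quoted above, `DominoLdap.dll` is a hypothetical custom plugin, and the expected list is an assumption taken from the five file names in the quoted log.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: the five DLL names seen in the log quoted in the thread.
EXPECTED_FILES = {"ActiveDirectory.dll", "CustomDirectory.dll",
                  "LocalDirectory.dll", "QVSProvider.dll", "WindowsNT.dll"}

# Constructed sample; DominoLdap.dll is a hypothetical custom plugin.
D = r"C:\QvServer\Directory Service Connector\DSPlugins"
SAMPLE_LOG = "\n".join("19.11.2009 ?. 03:22:29.4062500 Information " + m for m in [
    "Scanning directory " + D,
    "Loading file " + D + r"\ActiveDirectory.dll", "Loaded plugin Active Directory",
    "Loading file " + D + r"\CustomDirectory.dll", "Loaded plugin Custom Directory",
    "Loading file " + D + r"\DominoLdap.dll", "Loaded plugin Domino LDAP",
    "Loading file " + D + r"\QVSProvider.dll",
    "Loading file " + D + r"\WindowsNT.dll", "Loaded plugin Windows NT",
    "Loaded 4 plugins",
])

MSG = re.compile(r"\bInformation\s+(.*)$")
COUNT = re.compile(r"Loaded (\d+) plugins?")

def audit_dsc_log(log_text, expected=EXPECTED_FILES):
    """Pair each 'Loading file' line with the 'Loaded plugin' line after it."""
    loaded, not_registered, pending, reported = {}, [], None, None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Loading file "):
            if pending:                      # previous file never registered
                not_registered.append(pending)
            pending = basename(msg[len("Loading file "):])
        elif msg.startswith("Loaded plugin ") and pending:
            loaded[pending] = msg[len("Loaded plugin "):]
            pending = None
        elif (c := COUNT.fullmatch(msg)):
            if pending:
                not_registered.append(pending)
                pending = None
            reported = int(c.group(1))
    if pending:                              # log ended right after a load attempt
        not_registered.append(pending)
    allowed = {name.lower() for name in expected}
    seen = list(loaded) + not_registered
    return {
        "loaded": loaded,                    # file name -> plugin display name
        "not_registered": not_registered,    # opened, but no plugin registered
        "unexpected": [f for f in seen if f.lower() not in allowed],
        "count_ok": reported == len(loaded),
    }

if __name__ == "__main__":
    for key, value in audit_dsc_log(SAMPLE_LOG).items():
        print(key, "=", value)
```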

                                                                  • Problem with AccessPoint login page

                                                                    I am also facing one problem ..

                                                                     

                                                                    When I am accessing the QV AccessPoint it is showing blanks in all the drop-down lists. Can anybody explain to me why this is happening ...

                                                                  • Problem with AccessPoint login page

                                                                    Hi lhr,

                                                                    If I wanted to authenticate against domino, you mention that I need to have the customized login page. Does this login page need to be pointed to domino LDAP and validate against it? What if the company already had this customized login page, is what I need now basically to concentrate on the ticketing?